Abstract


On  a  weekly  basis,  the  U.S.  Postal  Service  (USPS)  processes  over  one  million  packages  destined 
to  overseas  locations.  All  international  shipments  being  sent  from  the  United  States  are  subject  to 
federal  export  laws.  The  USPS  has  extensive  export  compliance  policies  and  screening  procedures 
to  ensure  that  customers  comply  with  federal  export  laws. 

Compliance  policies  and  screening  procedures  are  expensive  and  time  consuming,  and  can 
negatively  affect  the  efficiency  of  international  mail  delivery  services.  The  U.S.  Postal  Inspection 
Service  (USPIS)  has  defined,  developed,  and  successfully  implemented  an  innovative  approach 
for  export  screening  that  has  drastically  improved  its  efficiency,  effectiveness,  and  accuracy. 
Having  benefited  from  using  concepts  of  operational  resilience  management  to  improve  the 
security  and  resilience  of  USPS  products  and  services,  the  USPIS  team  conducted  its  new  export 
screening  project  using  a  structured  and  repeatable  approach  based  on  the  CERT  Resilience 
Management  Model  (CERT-RMM),  developed  by  the  Software  Engineering  Institute  at  Carnegie 
Mellon  University. 

This  report  describes  how  the  CERT-RMM  enabled  the  USPIS  to  implement  an  innovative 
approach  for  achieving  complex  international  mail  export  control  objectives.  The  authors  also 
discuss  how  this  USPIS  application  of  CERT-RMM  might  be  equally  applicable  to  other  shipping 
and  transportation  sectors  that  are  tasked  with  meeting  export  control  objectives. 
1  Introduction


In  the  spring  of  2012,  the  United  States  Postal  Inspection  Service  (USPIS)  Revenue,  Product,  and 
Global  Security  (RPGS)  organization  was  asked  to  assume  responsibility  for  improving  the  export 
screening  process  for  outbound  international  mail.  On  a  weekly  basis,  the  USPS  processes  well 
over  one  million  packages  to  overseas  locations.  With  this  increased  responsibility,  the  USPIS 
would  be  responsible  for  assuring  that  mailers  comply  with  specific  export  control  standards. 

Based  on  past  experience  with  the  Software  Engineering  Institute’s  CERT  Resilience 
Management  Model  (CERT-RMM),  the  USPIS  decided  to  use  this  model  as  the  foundation  for 
addressing  this  new  area  of  responsibility.  By  using  CERT-RMM,  the  USPIS  team  was  able  to 

•  define  compliance  objectives  that  an  export  screening  program  is  required  to  meet 

•  identify  relevant  practices  that  help  achieve  these  compliance  objectives 

•  through  awareness  and  training,  provide  a  common  language  that  helped  all  participating 
USPIS  staff  and  contractors  learn  quickly  and  be  able  to  apply  what  they  learned 

•  objectively  measure  operational  export  screening  performance  against  defined  objectives 

In  three  calendar  months,  the  USPIS  team  defined  specific  goals  and  practices  that  the  USPS  and 
USPIS  needed  to  achieve  and  developed  a  project  plan  for  doing  so;  defined  work  products  to 
guide  decision  making  on  what  outputs  to  produce;  and  took  a  complex,  overwhelming  task  and 
managed  it  using  common  criteria  to  define  and  implement  a  robust  export  screening  process 
[Crabb  2012].  In  eight  additional  months,  the  USPIS  team  developed  and  implemented  an  export 
screening  standard  operating  procedure,  implemented  new  and  updated  processes  and  systems, 
trained  key  personnel,  and  transitioned  operational  responsibility  to  an  operational  manager. 

The  authors  believe  that  this  USPIS  application  of  CERT-RMM  for  screening  international  mail 
to  meet  export  control  objectives  is  likely  relevant  for  organizations  faced  with  meeting  these 
objectives for other types of goods. This application also provides an example of how CERT-RMM
might be used as an organizing structure for planning and executing new programs.
2  Background


2.1  USPS  and  USPIS 

The  USPS  is  rooted  in  a  single,  great  principle:  that  every  person  in  the  United  States — no  matter 
who,  no  matter  where — has  the  right  to  equal  access  to  secure,  efficient,  and  affordable  mail 
service  [USPS  2013].  This  principle  is  supported  by  the  mission  of  the  USPIS,  which  is  the  law 
enforcement  arm  of  the  USPS.  It  is  the  longest  standing  federal  law  enforcement  agency  in  the 
United  States,  dating  back  to  1772.  The  United  States  is  the  only  country  to  have  a  separate  and 
distinct  postal  inspection  service.  As  the  USPIS  describes  its  purpose, 

The mission of the U.S. Postal Inspection Service is to support and protect the U.S. Postal
Service and its employees, infrastructure, and customers; enforce the laws that defend the
nation’s mail system from illegal or dangerous use; and ensure public trust in the mail. ...
Through its security and enforcement functions, the USPIS provides assurance to American
businesses for the safe exchange of funds and securities through the U.S. Mail; to postal
customers of the “sanctity of the seal” in transmitting correspondence and messages; and to
postal employees of a safe work environment [USPIS 2013].

The  USPIS  is  responsible  for  protecting  the  security  of  the  USPS  brand  name,  facilities, 
information,  and  technical  assets.  It  enforces  over  200  U.S.  federal  statutes  addressing  electronic 
crimes,  mail  fraud,  mail  theft,  identity  theft,  child  exploitation,  and  prohibited  mailings  such  as 
bombs  and  biological  and  chemical  threats. 

Responsibilities  of  the  USPIS  RPGS  organization  include  investigating  cybercrime  and  revenue 
fraud  as  well  as  developing  secure  USPS  products.  RPGS  members  serve  as  the  liaison  to  global 
law  enforcement,  which  includes  promoting  more  effective  security  controls  through  forums  such 
as  Interpol  and  the  Universal  Postal  Union  (UPU).  The  UPU  has  been  an  innovative  user  of  the 
CERT-RMM  body  of  knowledge  and  has  supported  its  evolution  and  expansion. 

2.2  SEI  and  CERT 

The  Software  Engineering  Institute  (SEI)  is  a  federally  funded  research  and  development  center 
sponsored  by  the  U.S.  Department  of  Defense  and  based  at  Carnegie  Mellon  University,  a  global 
research  university  recognized  for  its  programs  in  computer  science  and  engineering.  Since  1984, 
the  SEI  has  been  helping  government  and  industry  organizations  acquire,  develop,  operate,  and 
sustain  software  systems  that  are  innovative,  affordable,  enduring,  and  trustworthy. 

Created  in  1988,  the  CERT  Division  at  the  SEI  is  recognized  as  a  trusted,  authoritative 
organization  dedicated  to  improving  the  security  and  resilience  of  computer  systems  and 
networks.  It  develops  and  executes  technical  projects  that  provide  unique  solutions  to 
cybersecurity  challenges  and  that  measurably  improve  the  security  of  the  cyber  environment.  The 
CERT  Division  partners  with  government,  industry,  law  enforcement,  and  academia  to  develop 
advanced  methods  and  technologies  to  counter  large-scale,  sophisticated  cyber  threats. 
2.3  The CERT Resilience Management Model


CERT-RMM is a capability-focused maturity model for process improvement that reflects best
practices from industry and government for managing operational resilience across the domains of
security management, business continuity management, and aspects of information technology
(IT) operations management. CERT-RMM defines operational resilience as “the emergent
property of an organization that can continue to carry out its mission in the presence of
operational stress and disruption that does not exceed its limit” [Caralli 2011]. Operational
resilience is an organization’s ability to protect its critical assets and keep essential services and
processes operating, particularly during times of stress and disruption.

Through  CERT-RMM,  these  best  practices  are  integrated  into  a  single  model  that  provides  an 
organization  with  a  transformative  path  from  a  silo-driven  approach  for  managing  operational  risk 
to  an  approach  focused  on  achieving  resilience  management  goals  and  supporting  the 
organization’s  strategic  direction.  Practices  focus  on  improving  the  organization’s  management  of 
key  operational  resilience  processes.  This  improvement  enables  high-value  services  to  meet  their 
missions consistently and with high quality, in normal and adverse conditions [Caralli 2011].

CERT-RMM  helps  to  ensure  that  the  organization’s  important  assets — people,  information, 
technology,  and  facilities — effectively  support  business  activities  and  services.  The  model  serves 
as  a  foundation  from  which  an  organization  can  measure  its  current  competency,  set  improvement 
targets,  and  establish  plans  and  actions  to  close  any  identified  gaps.  As  a  result,  the  organization 
repositions  and  repurposes  its  security,  business  continuity,  and  IT  operations  activities  and 
adopts  a  process  improvement  mindset  that  helps  to  keep  services  and  assets  productive  in  the 
long  term  [Allen  2012]. 

The  model  describes  a  process-based  framework  of  goals  and  practices  at  four  levels  of  increasing 
capability  (Incomplete,  Performed,  Managed,  and  Defined)  and  a  companion  appraisal  method.  It 
comprises  26  process  areas  (PAs),  shown  in  Table  1,  that  define  a  set  of  practices  that,  when 
implemented  collectively,  satisfy  a  set  of  goals  considered  important  for  effectively  managing  the 
organization’s ability to be operationally resilient [Caralli 2011].


Table 1: CERT-RMM Process Areas

Access Management                       Measurement and Analysis
Asset Definition and Management         Monitoring
Communications                          Organizational Process Definition
Compliance                              Organizational Process Focus
Controls Management                     Organizational Training and Awareness
Enterprise Focus                        People Management
Environmental Control                   Resilience Requirements Development
External Dependencies Management        Resilience Requirements Management
Financial Resource Management           Resilience Technical Solution Engineering
Human Resource Management               Risk Management
Identity Management                     Service Continuity
Incident Management and Control         Technology Management
Knowledge and Information Management    Vulnerability Analysis and Resolution

Users of the model select the PAs, goals, and practices that apply to a specific objective (such as
those  for  the  export  screening  of  international  mail)  and  ignore  the  rest.  It  is  critical  to  identify 
which  model  content  is  most  relevant  based  on  the  project  need  [Crabb  2012]. 

SEI  staff  members  were  not  involved  in  this  application  of  CERT-RMM  but  were  asked  by  the 
USPIS  to  conduct  interviews,  review  artifacts,  and  document  this  project  since  it  will  likely  serve 
as  the  basis  for  several  future  USPIS  projects. 

2.4  USPS  and  USPIS  Use  of  CERT-RMM 

Developing  and  implementing  measurable  methodologies  for  improving  the  security  and 
resilience  of  a  national  postal  sector  directly  contribute  to  protecting  public  and  postal  personnel, 
assets,  and  revenues.  Such  methodologies  also  contribute  to  the  security  and  resilience  of  the 
mode  of  transport  used  to  carry  mail  and  the  protection  of  the  global  mail  supply  chain. 

Since  2011,  the  USPIS  has  collaborated  with  the  CERT  Division  to  improve  the  resilience  of 
selected  USPS  products  and  services.  This  collaboration  has  included  projects  dealing  with 
incident  response,  export  screening,  authentication  services,  physical  security  and  aviation 
screening  for  international  mail,  Priority  Mail  Express  revenue  assurance,  and  development  of 
mail-specific  resilience  management  practices  for  mail  induction,  transportation,  delivery,  and 
revenue  assurance. 

These  efforts  are  more  fully  described  in  the  following  reports: 

•  A  Proven  Method  for  Identifying  Security  Gaps  in  International  Postal  and  Transportation 
Critical  Infrastructure  [Crabb  2013] 

•  Improving the Security and Resilience of U.S. Postal Service Mail Products and Services
Using the CERT Resilience Management Model [Crabb 2014]

•  CERT  Resilience  Management  Model  Mail-Specific  Process  Areas:  Mail  Induction,  Version 
1.0  [Allen  2014a] 

•  CERT  Resilience  Management  Model  Mail-Specific  Process  Areas:  Mail  Revenue 
Assurance,  Version  1.0  [Allen  2014b] 

•  CERT Resilience Management Model Mail-Specific Process Areas: International Mail
Transportation,  Version  1.0  [Allen  2014c] 
3  Export Control Challenges


This  section  describes  export  control;  the  challenges  involved  in  screening  mail  to  meet  laws, 
regulations,  and  standards  for  export  control;  and  the  objectives  for  improving  the  export 
screening  process  using  CERT-RMM. 

3.1  What  Is  Export  Control? 

All  international  shipments  being  sent  from  the  United  States  and  its  possessions  or  territories  are 
subject  to  federal  export  laws  and  regulations  that  may  require  approval  for  or  otherwise  restrict 
what  can  be  sent  to  certain  countries,  individuals,  or  entities.  The  standards  apply  to  all  outbound 
international  mail  containing  goods  (i.e.,  not  letters  or  documents)  and  the  electronic  transfer  of 
certain  information  and  technologies  to  foreign  countries,  individuals,  and  entities  including 
foreign  nationals  within  the  U.S. 

Such  laws  and  regulations  are  designed  for  U.S.  national  security,  toward  combating  terrorism, 
crime  networks,  and  the  proliferation  of  weapons  of  mass  destruction.  They  also  protect  foreign 
policy  interests  (e.g.,  protecting  human  rights  and  promoting  democracy),  and  economic  interests 
(e.g.,  keeping  scarce  commodities  in  the  U.S.).  All  entities  shipping  internationally  from  the  U.S. 
are  required  to  comply  with  federal  export  laws  and  regulations.  Failure  to  comply  with  these 
regulations  can  result  in  civil  and  criminal  penalties. 

Export  control  laws,  regulations,  and  standards  are  established  by  a  number  of  U.S.  government 
agencies,  including  the  following  units  of  the  U.S.  Commerce  Department,  State  Department,  and 
Treasury  Department: 

•  Bureau  of  Industry  &  Security  (BIS) — Commerce 

•  Census  Bureau,  Foreign  Trade  Division — Commerce 

•  Office  of  Foreign  Assets  Control  (OFAC) — Treasury 

•  Directorate  of  Defense  Trade  Controls  (DDTC) — State 

•  Customs and Border Protection (CBP)¹

An export license grants permission to conduct a certain type of export transaction. Some
international  shipments  may  be  subject  to  one  or  more  export  licenses  from  these  agencies.  Other 
countries  have  similar  export  control  laws  requiring  export  licenses  for  certain  items. 

3.2  Objectives  and  Challenges  of  Export  Control  at  USPS 

Given the wide-ranging laws, regulations, and standards from multiple agencies, screening against
violations is a complex process. USPS export screening policies and procedures ensure that U.S.
customs declaration data is collected and used to screen for restricted items being sent to specific
countries, individuals, and entities to maintain the sanctity of the U.S. mailstream and protect U.S.
interests.

1  Only CBP has Statutory/Constitutional authority to routinely open mail without a warrant for law enforcement
purposes. USPS and USPIS do not have such authority.

Objectives  for  export  screening  include  ensuring  that  neither  the  sender  nor  the  recipient  of 
international  parcels  mailed  from  the  U.S.  is  listed  on  the  OFAC  Specially  Designated  Nationals 
(SDN)  list,  the  BIS  Denied  Parties  and  Entity  lists,  and  other  applicable  government  lists.  The 
USPS  also  must  ensure  that  unlicensed  restricted  content  is  not  sent  to  countries  subject  to 
comprehensive  embargoes,  such  as  North  Korea,  Cuba,  Sudan,  Iran,  and  Syria.  All  mailers  are 
required  to  comply  with  federal  laws,  regulations,  and  standards  for  export  control. 

The  USPS  and  USPIS  are  responsible  for  screening  all  relevant  parcels  for  potential  violations 
and  ensuring  that  parcels  that  do  not  meet  screening  standards  are  blocked  from  export.  If 
violations  occur,  the  USPS  and  USPIS  generate  investigative  leads  that  are  pursued  by  law 
enforcement  agencies.  To  help  prevent  violations,  the  USPS  and  USPIS  educate  mailers  to  ensure 
they  understand  their  responsibilities. 

The  implementation,  operational  use,  and  enforcement  of  export  screening  policies  and 
procedures  are  complex,  expensive,  labor-intensive,  and  time-consuming,  and  can  negatively 
affect  the  overall  efficiency  of  international  mail  delivery  services. 

3.3  Objectives  for  Improving  Export  Screening  at  USPS 

In  the  spring  of  2012,  RPGS  was  asked  to  assume  responsibility  for  improving  the  export 
screening  process  for  outbound  international  mail.  Faced  with  the  export  control  objectives  and 
challenges  described  above,  the  export  screening  project  team  defined  the  following  project 
objectives: 

•  Reduce  the  incidence  of  mail  shipments  violating  export  control  laws,  regulations,  and 
standards. 

•  Evaluate current processes and systems and identify actions required to improve overall
efficiency, effectiveness, and accuracy. Specific goals include

    •  Reducing delays in processing outbound parcels.

    •  Reducing excess labor costs and improving the efficiency of resources used.

•  Establish  and  improve  relationships  with  key  stakeholders. 

•  Establish  and  maintain  written  standard  operating  procedures  and  screening  parameters. 

•  Regularly  assess  and  improve  processes  and  systems,  including  staff  training. 

The  first  operational  capability,  intended  to  meet  many  of  these  objectives,  was  scheduled  to  be 
up  and  running  by  1  August  2012,  three  calendar  months  from  the  project  kickoff. 
4  Development of the New Screening Process


4.1  “Walking  the  Model” 

The  export  screening  (ES)  project  team  first  met  with  key  stakeholders  to  understand  process 
flows  and  other  aspects  of  current  operations,  existing  gaps,  and  the  improvements  desired.  Team 
members  received  educational  briefings  to  familiarize  themselves  with  the  applicable  export 
control  laws,  regulations,  and  standards.  The  team  defined  high-level  project  expectations  and 
outcomes  for  the  following: 

•  Defining  and  managing  processes 

•  Identifying  and  assigning  required  resources 

•  Establishing  standard  operating  procedures 

•  Ensuring  a  smooth  transition  from  the  current  system 

•  Defining  the  division  of  responsibilities 

•  Identifying  required  data  sources  and  process  flows 

•  Identifying  required  law  enforcement  capabilities 

•  Addressing  regulatory  and  compliance  concerns 

Members  of  the  ES  project  team  were  very  familiar  with  CERT-RMM,  having  applied  it  to  a 
number  of  other  projects  and  risk  areas.  This  experience  led  the  ES  team  to  use  CERT-RMM  as 
the  organizing  structure  for  this  particular  improvement  effort.  The  team  examined  each  of  the  26 
process  areas  (PAs)  in  the  CERT-RMM  and  selected  the  PAs,  specific  goals,  specific  practices, 
and  work  products  that  would  be  most  applicable  for  achieving  the  goals  of  the  project  (referred 
to as “walking the model”).² The ES team organized the selected PAs into eight functional areas,
each  of  which  would  be  addressed  by  a  project  subteam.  The  functional  areas  and  the  applicable 
CERT-RMM  PAs  are  shown  in  Table  2. 


Table 2: Export Screening Functional Areas and Applicable CERT-RMM PAs

Functional Area                         CERT-RMM Process Area(s)
Human resources                         Human Resource Management (HRM)
Compliance/screening                    Compliance (COMP)
                                        Controls Management (CTRL)
                                        Monitoring (MON)
Physical controls and mail security     Environmental Control (EC)
Communications                          Communications (COMM)
Information management                  Measurement and Analysis (MA)
Training                                Organizational Training and Awareness (OTA)
Incident management                     Incident Management and Control (IMC)
Measurement and monitoring              Measurement and Analysis (MA)
                                        Monitoring (MON)

2  A similar process is used for determining the scope of a CERT-RMM appraisal.

A subteam was formed for each functional area, RPGS staff agreed to roles and responsibilities,
and  each  subteam  defined  their  respective  project  plans  for  developing  the  work  products  called 
for  in  the  applicable  PAs.  For  example,  in  the  Compliance  domain,  the  ES  team  selected  the 
following  specific  practices: 

•  COMP:SG1.SP1, Establish a Compliance Plan

•  COMP:SG1.SP2, Establish a Compliance Program

•  COMP:SG1.SP3, Establish Compliance Guidelines and Standards

•  COMP:SG2.SP1, Identify Compliance Obligations

•  COMP:SG2.SP3, Establish Ownership for Meeting Obligations

•  COMP:SG3.SP1, Collect and Validate Compliance Data

Among  the  work  products  the  team  identified  as  output  from  these  practices  were  a  staffing  plan, 
a  budget  plan,  an  inventory  of  compliance  obligations,  the  definition  of  compliance  reports  (to 
demonstrate  compliance),  a  data  collection  strategy,  and  workroom  floor  job  aids. 

The  CERT-RMM  guidance  served  as  the  basis  for  project  implementation,  including  making 
updates  to  existing  processes  and  systems,  developing  new  processes  and  systems,  and  handling 
other  aspects  of  the  activities  described  in  the  next  section. 

4.2  Subteam  Activities 

The  ES  subteams  performed  some  of  the  following  activities  as  part  of  their  development  process: 

•  Reviewed  and  inventoried  all  relevant  export  control  laws,  regulations,  and  standards  from 
the  multiple  U.S.  government  agencies  involved. 

•  Defined  and  documented  the  changes  necessary  to  facilitate  more  effective  export  screening, 
both  on  the  front  end  and  back  end  of  the  screening  process.  This  activity  involved  having 
access  to  electronic  customs  data  for  all  parcels  on  the  front  end,  for  example,  and 
identification  of  mailer  violations  of  export  control  standards  at  USPS  International  Service 
Centers  (ISCs)  on  the  back  end. 

•  Defined  and  documented  impacts  on  current  mail  handling  processes  from  the  perspective  of 
both  the  USPS  and  the  USPIS. 

•  Described scenarios to use for defining and testing the completeness of the new processes,
such as (1) What customs form should a customer use to send $500 of toys weighing two
pounds to Peru? To Cuba? To North Korea? and (2) A Priority Mail Express package with
$10 of aspirin from Joe’s Pharmacy is being shipped to Fatima in Syria. Should the ES
system pass or hold the item?

•  Defined a transition plan for each ISC with the objective that ISC program managers are
trained sufficiently to manage export screening activities at their respective ISCs and to train
all of their contractors on their responsibilities and tasks. All program managers agreed to
start the new ES process on August 1, 2012 and work closely with their staff and contractors
to ensure they were adequately trained.

•  Developed  new  and  updated  position  descriptions  for  the  new  ES  process. 

•  Developed  and  updated  ES  data  analysis  tools  and  reporting  queries. 
4.3  Training, Rollout, and Monitoring


In  early  July  2012,  the  ES  team  defined  the  transition  plan  for  each  of  the  five  ISCs,  which  have 
the  responsibility  for  conducting  export  screening  of  outbound  international  mail.  In  late  July,  the 
ES  team  conducted  an  intensive  one-week  course  to  train  ISC  leadership  in  using  the  new  ES 
processes  and  systems.  On  1  August,  after  only  three  months  and  as  planned,  operational 
responsibility  for  ES  was  transferred  from  the  USPS  to  the  USPIS. 

During  August  and  September,  members  of  the  ES  team  visited  and  conducted  additional  training 
at  specific  ISCs.  USPS  staff  and  contractors  attended  the  training,  and  testing  was  administered  at 
the  completion  of  each  course  to  determine  who  required  additional  training  and  who  could  serve 
as  mentors  at  each  ISC  facility.  Members  of  the  ES  team  participated  in  additional  training 
conducted  by  the  Consortium  of  Export  Control  Regulators  for  further  education  and  to  collect 
information  necessary  to  develop  a  USPS  standard  operating  procedure  (SOP)  for  ES.  The  SOP 
was  finalized  in  November  2012  and  training  on  the  SOP  was  conducted  at  the  ISCs. 

In  March  2013,  the  ES  team  conducted  advanced  ES  training  for  ISC  supervisors  and  continued  to 
update  ES  processes  and  systems  to  reflect  updates  to  specific  country  export  control  laws  and 
regulations. In the March/April 2013 time frame, operational responsibility for the updated and
improved  ES  data  system  was  transitioned  from  the  ES  team  to  the  team  having  operational 
responsibility. 

After  the  operational  transition,  the  RPGS  team  commenced  monitoring,  control  review,  and  data 
analysis  of  the  ES  process  using  a  Lean  Six  Sigma  process.  This  project  had  the  following  goals: 

•  Determine  if  the  current  workforce  is  the  right  size  for  the  export  screening  operation. 

•  Identify  and  measure  the  current  IS  export  screening  process  at  each  of  the  five  ISCs. 

•  Perform  a  gap  analysis  on  the  export  screening  process  to  identify  opportunities  to  remove 
waste,  reduce  cycle  time,  and  eliminate  inefficient  processes. 

The  team  developed  a  detailed  process  flow  and  generated  regular  performance  optics  and  error 
rate  analysis  results.  For  the  remainder  of  2013,  the  RPGS  team  served  as  consultants  to  the 
operational  team. 

Figure  1  summarizes  the  development  processes  used  by  the  ES  project  team. 
Figure 1: Export Screening Development Process


4.4  The  Resulting  Export  Screening  Process 


A  detailed  description  of  the  new  export  screening  process  that  resulted  from  the  ES  team’s 
development  work  is  beyond  the  scope  of  this  report;  however,  Figure  2  and  Figure  3  depict  a 
high-level  view  of  these  processes.  (In  Figure  2,  induction  involves  acceptance  of  the  mail  into  the 
mailstream  and  all  necessary  validation.) 
Figure 2: Induction and Processing of International Mail

Figure 3: The Export Screening Process


Customers  may  submit  their  mail  into  the  mailstream  at  several  points.  During  this  phase, 
information  from  the  customs  declaration  form  is  validated  and  the  mailpiece  is  given  an 
acceptance  scan. 

Customs  declaration  data  is  subject  to  export  screening  while  the  associated  mailpieces  are  in 
transit  to  the  ISC,  and  suspicious  mailpieces  are  flagged  for  additional  review  at  the  ISC. 

At  the  ISC,  the  information  obtained  in  the  induction  phase  with  the  acceptance  scan  is  used  to 
sort  the  mailpieces.  If  the  mailpiece  does  not  need  to  be  held  or  delayed  for  further  review,  it  is 
then  dispatched  to  its  final  destination. 

Mailpieces  that  receive  a  hold  are  sent  to  the  USPIS.  The  USPIS  may  send  the  mailpiece  to  other 
appropriate  agencies  for  additional  review  as  required. 
5  Benefits, Improvements, and Conclusions


The  ES  project  met  all  defined  standards,  objectives,  and  project  and  stakeholder  expectations,  on 
budget,  and  on  schedule.  It  is  actively  in  use  today  at  all  five  ISCs,  which  are  responsible  for 
processing  all  outbound  international  mail. 

5.1  Benefits 

The  benefits  of  the  approach  taken  by  the  ES  project  team  included  the  following: 

•  The  team  defined  objectives  that  an  export  screening  program  needed  to  meet,  identified 
relevant  practices  to  achieve  these  objectives,  and  objectively  measured  and  improved 
operational export screening performance against these objectives.

•  All  ES  team  members  spoke  a  common  language  based  on  CERT-RMM  goals,  practices, 
and  work  products. 

•  Subteam  roles  and  responsibilities  were  well  defined. 

•  Through  awareness  and  training,  the  ES  team  provided  a  common  language  for  export 
screening that helped all participating USPIS staff and contractors learn quickly and be able
to  apply  what  they  learned.  As  a  result,  there  was  a  strong  sense  of  ownership  of  new  ES 
processes  and  systems  by  the  staff. 

•  Relationships  with  key  stakeholders  were  established  and  continue  to  be  maintained. 

5.2  Improvements 

The  successful  execution  of  the  ES  project  resulted  in  the  following  improvements: 

•  A  written  standard  operating  procedure  was  developed  and  is  being  maintained. 

•  There  is  regular  measurement  and  evaluation  of  ES  processes  and  systems  using  a  Lean  Six 
Sigma  process  and  continual  improvements. 

•  There  has  been  a  reduction  in  delays  associated  with  processing  outbound  parcels. 

•  There  is  increased  efficiency  in  how  staff  and  technology  resources  are  used. 

•  There  is  increased  accuracy  in  how  parcels  that  require  export  screening  are  identified. 

•  There  is  reduced  risk  of  dispatching  parcels  that  violate  export  control  laws  and/or  that  may 
be  of  interest  to  fellow  law  enforcement  agencies. 

5.3  Conclusions 

USPIS  RPGS  leadership  has  stated  that  this  project  would  not  have  been  successful  in  the 
required  timeframe  without  the  use  of  CERT-RMM  as  the  foundational  architecture  and  structure 
for  this  development  effort. 

While  CERT-RMM  is  generally  recognized  as  a  comprehensive  body  of  knowledge  for 
improving  operational  resilience  processes,  this  project  also  demonstrated  how  CERT-RMM  can 
be  used  as  an  organizing  structure  for  planning  and  executing  new  programs  and  in  establishing 
new  functional  capability  within  an  organization. 


CMU/SEI-2015-TN-001  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 




The  authors  believe  that  the  USPIS  application  of  CERT-RMM  for  screening  international  mail  to 
meet  export  control  objectives  is  likely  relevant  for  organizations  and  operators  in  postal, 
shipping,  and  other  transportation  sectors  faced  with  meeting  these  objectives  for  other  types  of 
goods. 